Security Operations Automation & Response (SOAR) platforms are now widely deployed as a way to address an ever-increasing volume of attacks. From automating the response to phishing emails to more sophisticated playbooks, SOAR platforms are producing positive results. Still, security teams recognize that not everything can be automated, and even what can be addressed with SOAR often has room for improvement.
This post showcases how Polarity can make a SOAR platform work even better with data awareness and recall. Although the scenario below showcases the Polarity integration with Phantom, the example could also improve the work teams do with SOAR platforms like Demisto, Swimlane, and others.
Even experienced analysts will say that it’s not always easy to see which entities or artifacts have been processed by their SOAR playbooks. This can be an issue when investigating alerts since the response could be delayed or even completely missed.
It’s easy to imagine a scenario where an analyst sees a questionable IP in a firewall log. Although the team uses a SOAR platform, it’s not clear if an investigation playbook actually executed against the IP in question. The analyst is forced to search the SOAR platform to find the alert, and then take the steps needed to run a playbook if the alert wasn’t already remediated (e.g. create a container in Phantom, and then execute an automation).
Contrast that scenario with an analyst who is using Polarity:
An analyst sees a questionable IP in a firewall log. Polarity highlights it on the screen because the integration with Phantom automatically shows information about the IP including whether an automation has completed.
The analyst can instantly see a playbook history for the IP and view the results, or run a playbook in Phantom without needing to create a container.
Polarity gives the analyst instant context for the IP, showing whether or not the SOAR platform has executed a playbook against it, and lets the analyst seamlessly start an automation if one is still needed to address the alert. This helps ensure that every alert is handled, and handled promptly.
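To make the workflow above concrete, here is an added, self-contained Python example (written for this post, not Polarity's or Phantom's own code). It extracts external IPs from a few constructed firewall log lines, looks up each IP's playbook history in a constructed stand-in for the SOAR platform's containers, and decides whether nothing is needed, whether a playbook should be run against an existing container, or whether a container and artifact must be created first. The record layout, the `investigate_ip` playbook id and the request shapes are assumptions for illustration; the code builds the requests but sends nothing.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the original post).
FIREWALL_LOG = """\
2024-01-09T10:01:12Z fw01 DENY src=203.0.113.45 dst=10.0.0.5 dport=445 proto=tcp
2024-01-09T10:01:13Z fw01 ALLOW src=10.0.0.7 dst=198.51.100.9 dport=443 proto=tcp
2024-01-09T10:01:15Z fw01 DENY src=192.0.2.77 dst=10.0.0.5 dport=22 proto=tcp
"""

# Constructed stand-in for the SOAR platform's containers, artifacts and playbook
# runs. Field names loosely follow Phantom-style objects but are assumed here.
SOAR_CONTAINERS = [
    {"id": 101, "name": "Suspicious inbound 203.0.113.45", "status": "closed",
     "artifacts": [{"cef": {"sourceAddress": "203.0.113.45"}}],
     "playbook_runs": [{"playbook": "investigate_ip", "status": "success"}]},
    {"id": 102, "name": "Outbound to 198.51.100.9", "status": "open",
     "artifacts": [{"cef": {"destinationAddress": "198.51.100.9"}}],
     "playbook_runs": []},
]

PLAYBOOK_ID = "local/investigate_ip"  # assumed playbook identifier
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_external_ips(log_text):
    """Return the set of non-internal IPv4 addresses mentioned in the log text."""
    found = set()
    for token in IP_RE.findall(log_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # regex can match junk like 999.1.1.1; skip it
        if any(addr in net for net in INTERNAL_NETS):
            continue
        found.add(str(addr))
    return found


def playbook_history(ip, containers=SOAR_CONTAINERS):
    """List every container whose artifacts reference the IP, with its playbook runs."""
    history = []
    for c in containers:
        values = {v for a in c["artifacts"] for v in a["cef"].values()}
        if ip in values:
            history.append({"container_id": c["id"],
                            "container_status": c["status"],
                            "runs": list(c["playbook_runs"])})
    return history


def build_container_request(ip):
    """Assumed shape of a 'create container with one IP artifact' request."""
    return {"name": f"Suspicious IP {ip} (from firewall log)",
            "label": "events",
            "artifacts": [{"label": "ip", "cef": {"sourceAddress": ip}}]}


def build_playbook_run_request(container_id):
    """Assumed shape of a 'run playbook against container' request."""
    return {"container_id": container_id, "playbook_id": PLAYBOOK_ID, "run": True}


def triage(ip, containers=SOAR_CONTAINERS):
    """Decide what, if anything, the analyst still needs to do for this IP."""
    history = playbook_history(ip, containers)
    if not history:
        # Never seen by the SOAR platform: container + artifact first, then a playbook.
        return {"ip": ip, "history": history, "action": "create_container_and_run",
                "request": build_container_request(ip)}
    for entry in history:
        if any(r["status"] == "success" for r in entry["runs"]):
            return {"ip": ip, "history": history, "action": "none_needed",
                    "request": None}
    # A container exists but no playbook has completed successfully against it.
    return {"ip": ip, "history": history, "action": "run_playbook",
            "request": build_playbook_run_request(history[0]["container_id"])}


def triage_log(log_text, containers=SOAR_CONTAINERS):
    """Map each external IP in the log to its triage decision."""
    return {ip: triage(ip, containers) for ip in sorted(extract_external_ips(log_text))}


if __name__ == "__main__":
    for ip, result in triage_log(FIREWALL_LOG).items():
        print(ip, result["action"], result["request"])
```

With the constructed data, 203.0.113.45 already has a successful run and needs nothing, 198.51.100.9 has an open container with no run and gets a playbook-run request, and 192.0.2.77 is unknown to the platform and gets a container-creation request. Matching on every CEF value rather than a single field is deliberate: the same IP may appear as a source in one container and a destination in another, and the analyst wants to see both.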